The Unix Heritage Society mailing list
* [TUHS] Jordan Hubbard's rwall of infamy
@ 2019-01-04 22:45 Don Hopkins
From: Don Hopkins @ 2019-01-04 22:45 UTC
  To: tuhs

From: jkh@violet.Berkeley.EDU (Jordan K. Hubbard)
Subject: My Broadcast
Date: 2 April 1987 at 21:45:46 CEST
To: hackers_guild@ucbvax.Berkeley.EDU, tcp-ip@sri-nic.arpa

By now, many of you have heard of (or seen) the broadcast message I sent to
the net two days ago. I have since received 743 messages and have
replied to every one (either with a form letter, or more personally
when questions were asked). The intention behind this effort was to
show that I wasn't interested in doing what I did maliciously or in
hiding out afterwards and avoiding the repercussions. One of the
people who received my message was Dennis Perry, the Inspector General
of the ARPAnet (in the Pentagon), and he wasn't exactly pleased.
(I hear his Interleaf windows got scribbled on)

So now everyone is asking: "Who is this Jordan Hubbard, and why is he on my
screen??"

I will attempt to explain.

I head a small group here at Berkeley called the "Distributed Unix Group".
What that essentially means is that I come up with Unix distribution software
for workstations on campus. Part of this job entails seeing where some of
the novice administrators we're creating will hang themselves, and hopefully
prevent them from doing so. Yesterday, I finally got around to looking
at the "broadcast" group in /etc/netgroup which was set to "(,,)". It
was obvious that this was set up for rwall to use, so I read the documentation
on "netgroup" and "rwall". A section of the netgroup man page said:

 ...

    Any of three fields can be empty, in which case it signifies
    a wild card.  Thus

               universal (,,)

    defines a group to which everyone belongs.  Field names that ...
 ...


Now "everyone" here is pretty ambiguous. Reading a bit further down, one
sees discussion on yellow-pages domains and might be led to believe that
"everyone" was everyone in your domain. I know that rwall uses point-to-point
RPC connections, so I didn't feel that this was what they meant, just that
it seemed to be the implication.

Reading the rwall man page turned up nothing about "broadcasts". It doesn't
even specify the communications method used. One might infer that rwall
did indeed use actual broadcast packets.

Failing to find anything that might suggest that rwall would do anything
nasty beyond the bounds of the current domain (or at least up to the IMP),
I tried it. I knew that rwall takes a while to do its stuff, so I left
it running and went back to my office. I assumed that anyone who got my
message would let me know. Boy, was I right about that!
After the first few mail messages arrived from Purdue and Utexas, I began
to understand what was really going on and killed the rwall. I mean, how
often do you expect to run something on your machine and have people
from Wisconsin start getting the results of it on their screens?

All of this has raised some interesting points and problems.

1. Rwall will walk through your entire hosts file and blare at anyone
  and everyone if you use the (,,) wildcard group. Whether this is a bug
  or a feature, I don't know.

2. Since rwall is an RPC service, and RPC doesn't seem to give a damn
  who you are as long as you're root (which is trivial to be, on a
  workstation), I have to wonder what other RPC services are open holes. We've
  managed to do some interesting, unauthorized, things with the YP service
  here at Berkeley, I wonder what the implications of this are.

3. Having a group called "broadcast" in your netgroup file (which is how
  it comes from Sun) is just begging for some novice admin (or operator
  with root) to use it in the mistaken belief that he/she is getting to
  all the users. I am really surprised (as are many others) that this has
  taken this long to happen.

4. Killing rwall is not going to solve the problem. Any fool can write
  rwall, and just about any fool can get root privilege on a Sun workstation.
  It seems that the place to fix the problem is on the receiving ends. The
  only other alternative would be to tighten up all the IMP gateways to
  forward packets only from "trusted" hosts. I don't like that at all,
  from a standpoint of reduced convenience and productivity. Also, since
  many places are adding hosts at a phenomenal rate (ourselves especially),
  it would be hard to keep such a database up to date. Many perfectly well-
  behaved people would suffer for the potential sins of a few.


I certainly don't intend to do this again, but I'm very curious as to
what will happen as a result. A lot of people got wall'd, and I would think
that they would be annoyed that their machine would let someone from the
opposite side of the continent do such a thing!

						Jordan Hubbard
						jkh@violet.berkeley.edu
						(ucbvax!jkh)

					Computer Facilities & Communications.
					U.C. Berkeley
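
Added example, not part of the original message or of any Sun or Berkeley code: a small audit that parses a netgroup file and reports every group whose host field is a wildcard, directly or through a nested group, which is the `(,,)` condition the message describes. The sample file, the group names other than "broadcast" and "universal", and the function names are constructed for illustration; it assumes the usual netgroup convention that an empty field is a wildcard and "-" means no valid value.

```python
import re

# Constructed sample netgroup file. Only the "(,,)" wildcard triple and the
# group names "broadcast" and "universal" come from the message above.
SAMPLE_NETGROUP = """\
broadcast (,,)
universal (,,)
labhosts  (ws1,,example) (ws2,,example) \\
          (ws3,,example)
everyone  labhosts broadcast
admins    (-,root,example)   # "-" means no valid value, not a wildcard
"""

TRIPLE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")

def parse_netgroup(text):
    """Return {group: (list of (host, user, domain), list of nested groups)}."""
    groups = {}
    # Join backslash-continued lines before splitting into entries.
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
        triples = [tuple(f.strip() for f in m.groups())
                   for m in TRIPLE.finditer(rest)]
        # Whatever is left after removing the triples is nested group names.
        groups[parts[0]] = (triples, TRIPLE.sub(" ", rest).split())
    return groups

def wildcard_host_groups(groups):
    """Names of groups that match every host, directly or via nesting."""
    def matches_all(name, seen):
        if name in seen or name not in groups:
            return False  # cycle or undefined reference: nothing to expand
        triples, refs = groups[name]
        if any(host == "" for host, _user, _domain in triples):
            return True   # empty host field is the wildcard
        return any(matches_all(r, seen | {name}) for r in refs)
    return sorted(g for g in groups if matches_all(g, frozenset()))

if __name__ == "__main__":
    for group in wildcard_host_groups(parse_netgroup(SAMPLE_NETGROUP)):
        print(f"{group}: host field matches every host")
```

The nested case is the one worth checking for: "everyone" contains no wildcard triple of its own but inherits one from "broadcast".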



